PDF static analysis report

Static analysis result for SHA-256 73bb77ef540c3e70…

CLEAN

PDF

Size: 188.6 KB
Created: 2017-05-25 03:33:38 -05:00
Authoring application: Microsoft® Office Word 2007
First seen: 2018-03-04
MD5: 764b1a5b171320b66d94f1ad4d33465d
SHA-1: 4297a2962b092989ca9377c85878b2e73949a993
SHA-256: 73bb77ef540c3e706d011c0877c82dfbe8afe89d65eb4be6e8e14beabc9d7312
Risk score: 2

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document that exhibits characteristics of an advance-fee scam, as indicated by the 'SE_ADVANCE_FEE_SCAM_LURE' heuristic. The document body, though heavily obfuscated, suggests a lure related to prizes or funds requiring parcel delivery. No scripts were extracted, and all embedded URLs were confirmed as benign, limiting the analysis to the scam lure itself.

Machine Learning

  • Nyx PDF Classifier clean score 0.0002

Heuristics 1

  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all reached via the PDF document text channel):
    • http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYou
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    • http://www.microsoft.com/typography/0

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: stream_003_off00002568.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x2568
Size: 198956 bytes
SHA-256: 86b3c5895ae26cfebbbdec874320981047d984d31797639eb6b37c6de4faff6a

Filename: stream_005_off00019bbb.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x19BBB
Size: 182936 bytes
SHA-256: f471e179113a57008df65a4033c980931dae742e343f95c1d2c4dfdb46e4916d